Try out common OAuth2 Grants
Ory OAuth2 & OpenID Connect (based on Ory Hydra) is available in the Ory Network out of the box. This means that you can use OIDC, Authorization Code Grant, Client Credentials Grant, and more, without additional configuration.
Following this guide allows you to experience the most commonly used OAuth2 flows and see how they work in Ory Network. The examples will take you through the following steps:
- Creating OAuth2 clients in the Ory Network with the Ory CLI
- Using the Authorization Code Grant with federation to Ory Identities for user authentication and UI views (login page, consent page) supplied by the Ory Account Experience
- Using the Client Credentials Grant
- Performing token introspection using the Ory CLI
Prerequisites
Before you start, install the Ory CLI.
Client Credentials Grant
The Client Credentials Grant is commonly used in machine-to-machine communications. This allows web services, applications, or devices to call each other without the context of human users. Activity that uses this grant often runs in the background and doesn't require any user interaction.
Follow these steps to try this grant in Ory Network. Create an Ory Network project using the Ory CLI and export the project ID:
ory create project --name "Ory OAuth2 Example"
project_id="{set to the project ID from output}"
-
Create an OAuth2 client:
ory create oauth2-client --project "$PROJECT_ID" \
--name "Client Credentials Demo" \
--grant-type client_credentials -
Export the ID and secret of the created client:
client_id="{set to CLIENT ID from output}"
client_secret="{set to CLIENT SECRET from output}" -
Start the Client Credentials Grant:
ory perform client-credentials \
--client-id="$client_id" \
--client-secret="$client_secret" \
--project "$PROJECT_ID" -
Perform token introspection to get the
access_token
details:# Export 'access_token'
access_token="{set to ACCESS TOKEN from output}"
# Perform token introspection
ory introspect token $access_token --project "$PROJECT_ID"
Authorization Code Grant
The Authorization Code Grant is most commonly used in scenarios where applications need to perform actions on behalf of users. For example, when an online marketplace allows users to add photos from their Google Photos album to listings.
To achieve that, the online marketplace must access the user's Google Photos library on their behalf. If the user accepts the
access scope requested by the app (online marketplace), the app's client gets an id_token
and access_token
pair which is then
used to interact with Google Photos.
This is what using the grant with UI views supplied by the Ory Account Experience looks like:
To try the Authorization Code Grant, follow these steps.
-
Create an Ory Network project using the Ory CLI and export the project ID:
ory create project --name "Ory OAuth2 Example"
project_id="{set to the project ID from output}" -
Create an OAuth2 client
ory create oauth2-client --project "$PROJECT_ID" \
--name "Authorization Code Grant with OpenID Connect Demo" \
--grant-type authorization_code,refresh_token \
--response-type code \
--redirect-uri http://127.0.0.1:4446/callback -
Export the ID and secret of the created client:
code_client_id="{set to CLIENT ID from output}"
code_client_secret="{set to CLIENT SECRET from output}" -
Start the Authorization Code Grant flow:
noteThis opens a sample OAuth2 consumer app in your default browser.
ory perform authorization-code \
--project "$PROJECT_ID" \
--client-id "$code_client_id" \
--client-secret "$code_client_secret"In the browser, use the UI to register a new user and allow the client to get the requested scopes to get an
access_token
, arefresh_token
, and anid_token
. This information is also printed in the terminal used to run the commands. -
Perform token introspection to get the
access_token
details:# Export 'access_token'
code_access_token="{set to ACCESS TOKEN from output}"
# Perform token introspection
ory introspect token $code_access_token --project "$PROJECT_ID"